SHA1 password problem while migrating from FluxBB to phpBB

Post by Doc Davluz

I'm migrating a very old forum running under FluxBB (a fork of PunBB). The process has run well. I'm just blocked by a tricky problem and I don't understand how to fix it.

Users' passwords in the FluxBB database are SHA1 ciphered. I made a test with my own password and, looking at the login.php of FluxBB, it's the sha1() function that is used.

I looked quite deeply into how password authentication works in phpBB, and it's based on a mechanism where a password manager class defined in passwords/manager.php delegates the check of the password to one of the drivers stored in passwords/driver. The choice of the right driver is based on the prefix of the hashed password found in the database for the user. For instance, a $sha1$ prefix will use the sha1.php driver, perfect for my use case.

Thus, I copied all passwords from my FluxBB users table to my phpBB users one, prefixing them with the $sha1$ string. Debugging the thing, it seems to trigger the right driver. But my authentication failed due to a mismatch with the length of the hash stored in the database. Indeed, here is the code of the check() function of the sha1.php driver:

Code:

public function check($password, $hash, $user_row = array())
{
	return (strlen($hash) == 40) ? $this->helper->string_compare($hash, sha1($password)) : false;
}

As you can see, it's expecting a 40-character string. But, with the $sha1$ prefix, logically, the $hash is 46 characters long.

I also checked the password manager class, and it neither removes the prefix from the hashed database password before calling the check() method, nor seems to prefix with the right one in its hash() method.

I have no clue how to import SHA1 encrypted passwords into my installation and make the whole thing work. I'm pretty sure, looking at the code, that it's possible, but I cannot find how.

Re: SHA1 password problem while migrating from FluxBB to phpBB

Post by Doc Davluz

OK, I don't know if I'm right, but it seems there's a bug. I did a step-by-step execution with a PHP debugger and cannot find another explanation.

Authentication with SHA1 ciphered passwords in the database works with the following code in sha1.php:

Code:

public function check($password, $hash, $user_row = array())
{
	return (strlen($hash) == 46) ? $this->helper->string_compare($hash, '$sha1$' . sha1($password)) : false;
}

Two modifications:
  • the strlen comparison should be made against a 46-character $hash and not a 40-character one, due to the $sha1$ prefix,
  • the string_compare comparison should be preceded by the concatenation of the $sha1$ prefix to the shaonized password.

With this code modification (and the prefixing in the database of all user passwords with the $sha1$ prefix), my migration is transparent. Users can connect with their current password, and its ciphering is changed in the database on the go to bcrypt, the default one, by phpBB.
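
Added example, not part of the original posts and not phpBB's own code: a stand-alone PHP model of the behaviour described in this thread, showing the stock 40-character check rejecting a `$sha1$`-prefixed value, a prefix-aware check accepting it, and the stored value being replaced with bcrypt on the first successful login. The function names (`check_stock`, `check_prefixed`, `login`) and the sample row are hypothetical and constructed for illustration; only built-in PHP functions are used.

```php
<?php
// Added example, not phpBB code. Function names are hypothetical.
const SHA1_PREFIX = '$sha1$';

// Same logic as the stock check() quoted in the thread: bare 40-char digest only.
function check_stock(string $password, string $hash): bool
{
    return strlen($hash) === 40 ? hash_equals($hash, sha1($password)) : false;
}

// Prefix-aware variant: require "$sha1$" + 40 lowercase hex chars, then
// compare only the digest part in constant time.
function check_prefixed(string $password, string $hash): bool
{
    if (!preg_match('/^\$sha1\$[0-9a-f]{40}$/D', $hash)) {
        return false;
    }
    return hash_equals(substr($hash, strlen(SHA1_PREFIX)), sha1($password));
}

// Login model: accept the legacy hash once, then store bcrypt in its place.
function login(array &$row, string $password): bool
{
    $stored = $row['user_password'];
    if (strncmp($stored, SHA1_PREFIX, strlen(SHA1_PREFIX)) !== 0) {
        return password_verify($password, $stored);
    }
    if (!check_prefixed($password, $stored)) {
        return false;
    }
    $row['user_password'] = password_hash($password, PASSWORD_BCRYPT);
    return true;
}

// Constructed sample row: a FluxBB sha1() value with the prefix added.
$row = ['username' => 'alice', 'user_password' => SHA1_PREFIX . sha1('correct horse')];

var_dump(strlen($row['user_password']));                        // stored length with prefix
var_dump(check_stock('correct horse', $row['user_password']));  // stock check on prefixed value
var_dump(login($row, 'wrong guess'));                           // wrong password
var_dump(login($row, 'correct horse'));                         // legacy hash, triggers upgrade
var_dump(strncmp($row['user_password'], '$2y$', 4) === 0);      // row now holds bcrypt
var_dump(login($row, 'correct horse'));                         // verified via bcrypt
```

In this model, a row is only upgraded when its owner logs in, so accounts that never return keep their SHA-1 value in the table.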
